Vulnerability Development mailing list archives
Re: fooling hubs [ARP Spoofing]
From: David.Basden () STAFF OPTUSNET COM AU (David Basden)
Date: Thu, 10 Feb 2000 14:08:21 +1100
I'm not sure about the Motorola gear (which is proprietary), but any DOCSIS 1.0 compliant gear has a MAC address on the cable interface of the CM as well as the ethernet interface. Any MAC addresses that are `behind' the cable modem, on the ethernet interface, are shown to the CMTS (head-end gear) as `behind' the CM's cable interface.

With DOCSIS 1.0 stuff, both the CM and the computers behind it use DHCP to get their IP number, but the CMTS can tell the difference between requests from the CM during negotiation and computers DHCPing from behind this. Hence you can magically just use any number of DHCPing clients behind the CMs, up to a limit defined by the CMTS.

I suspect, however, the Motorola kit works totally differently. :-)

D

On Wed, Feb 09, 2000 at 10:11:54AM -0500, Clifford, Shawn A wrote:

Hmmm... Road Runner must do something different on the Time Warner Cable system here in Orlando, Florida.

First, the tech never installed the (crappy) software on my computer, because I already had DHCP turned on and once I kicked the service it grabbed an IP address just fine. The tech told me the software sucks, so I have never bothered to install it.

Two, I have a hub hanging off of the cable modem and I have two computers DHCP'ing through the cable modem just fine. They both run simultaneously. One is NT, the other is 98SE. Throughput doesn't seem to be degraded on either machine while doing "parallel" downloads. And the addresses are in the same broadcast domain, which happens to be a 9-bit broadcast mask (i.e. subnet mask = 255.255.254.0). I've heard from someone else at my work that he has a 7-bit broadcast mask (subnet = 255.255.255.128). Weird. Guess it is a much smaller switch in his neighborhood.

So, the switches here, anyway, are configured and are capable of handling multiple MAC addresses per port.

-- Shawn

-----Original Message-----
From: H D Moore [mailto:secure () SECUREAUSTIN COM]
Sent: Monday, February 07, 2000 8:12 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: fooling hubs [ARP Spoofing]

Hi,

Road Runner uses the modem serial number in conjunction with special routing hard/software to determine your usage. This means that you can't just snag someone else's MAC/IP because the switch knows what serial number goes to which port. How the switch receives the serial number is unknown, I think it is done during the initial setup when the modem is being 'registered' by the tech that installs it. Using a program like changemac just annoys their admins, as it looks like you have multiple computers and are switching between them (a friend of mine works at the cable co and told me how they track usage/etc).

If anyone knows something to the contrary or knows what protocol the Motorola Waverunner modems use to register themselves (or about the switches used), please let me know!

-HD

Jeff Bachtel wrote:

Oddly enough, there was a post to misc () openbsd org from a guy who said he found a way to treble his upload speed on his cablemodem by proxy arp'ing to the mac address of his cable modem.

I don't know how well that would work with different providers, but if someone hacks together a little windows utility to sniff out the arp of the cable modem, and set windows to start proxying it automatically, that would seem likely to regress cablemodem back into the good ol' (or bad ol') days of near-unlimited bandwidth.

Does anyone know the likelihood of this actually working?

jeff

On Thu, Feb 03, 2000 at 10:05:34PM +0000, David aka SpanskA wrote:

Hi,

I was looking at ARP spoofing postings for a while and I was wondering if it was possible to permanently fool some hubs or routers.

My ISP (Cablevision) is using some kind of system to know how much I'm uploading and downloading.

I successfully did it one time with a little prog called "changemac". If you wanna look at it just go to packetstorm archive. Unfortunately, the last month I checked the data report I could see that my ISP was able to know (again!) how much I was downloading and uploading.

Is this a bug with some kind of hardware or with ARP protocol?

Sorry for my English mistakes...